Starcraft II is running pretty nice in my current rig (MacPro4,1 + ATI Radeon 4870), but I’ve read that the 5870 is substantially faster – double the VRAM, too.

Starting yesterday, I began to receive emails from various facebook friends, wherein they warned me that perhaps my fb account had been hacked. It seems my fb friends were getting invites for a ‘free ipad’ from me. I don’t have any way to tell whether my account has actually been hacked, but I was able to log in with my current password, change the password, and then disable the account.

I’ve seen this kind of thing before from other users… legit-looking invites that are probably faked somehow. I don’t really know, don’t really care, except that facebook has just become more trouble than it’s worth. I now retreat to platforms where messages are not sent on my behalf, ever. Feel free to follow me via Twitter @GuacamoleQueen. You can find my generic, life-oriented musings here: http://dreness.com

–

Here’s a short bit of UI scripting I use to wrangle the MouseZoom prefpane, which I require prior to playing Quake4 to get just the right mouse acceleration curve. Even though it’s just an extra click-and-wait, the whole 32 / 64 bit prefpane shuffle has me kinda annoyed, hence this script.

tell application "System Events"
	tell application "System Preferences"
		activate
		set current pane to pane id "com.benhines.mousezoompp"
	end tell
	delay 1
	tell process "System Preferences"
		click button "OK" of sheet 1 of window "Loading MouseZoom…"
                             --that's an elipsis! accessibility inspector ftw
		delay 2
		keystroke tab
		keystroke tab
		keystroke ".02"
		keystroke tab
	end tell
end tel

The problem is that when in screen, some ‘full-screen’ curses based apps like vim or mutt will cause screen to render empty space as white space… like for example all the space between the end of a line and the right side of the window. Normally this is not a problem. Who cares if it’s white space at the output rendering layer, right? Well, as it turns out, the guy on the other end of the clipboard really cares, even if you are that guy. Trust me. He’s actually kinda angry that it’s taken this long for his lobbying efforts to bear fruit.

Anyway, the fix is to employ the services of background color erase, known on the street as bce.

The correct setting for me is: on, although I can’t really deduce that from the above description. Basically I just showed up in #screen on freenode, started mumbling, and somebody was like “… bce on?”, which was enough for me to arrive at the following .screenrc additions:

defbce on
term screen-bce

Here’s a short demo of expected behavior outside of screen, broken behavior in screen, and then fixed behavior.

security dump-keychain -d /Library/Keychains/System.keychain | \
grep '"svce"<blob>="Mac OS X Server certificate management"' -A 3 | tail -n 1

Typically this is most useful right before you say something like the following, which writes out a decrypted version of the private key (after you supply the passphrase, of course :)

openssl rsa -in key.pem -out decrypted-key.pem

The concept here is to use apt to satisfy as many of the CalendarServer dependencies as possible, then let the ‘run’ script do the rest. I’ve tested this numerous times, and it works pretty flawlessly. I’ll have more detailed content later, but I just wanted to get the quick steps out there for any bleeding edgers out there…

1) edit /etc/fstab to enable xattrs by adding the “user_xattr” option.

e.g. (all on one line):

UUID=8f2bb850-0e8f-4d81-bba5-fb93ef9b9990 /               ext4    errors=remount-ro,user_xattr 0       1

after doing the above you need to reboot, or “sudo mount / -o remount”

2) sudo apt-get build-dep postgresql

3) sudo apt-get install python-setuptools python-xattr python-twisted subversion curl

4) svn co http://svn.macosforge.org/repository/calendarserver/CalendarServer/trunk CalendarServer

5) cd CalendarServer ; ./run -s

… at this point, if all goes well, you should be prompted with a message indicating that there is no config file. Run the suggested command to use the sample config file. You can then start the server with run -d, and run the protocol tests using the ‘testserver’ script.

And lo, it did work, for a time. Imagine my surprise when 2 out of 20 of my mac mini-ons became unusable for my nefarious purposes of generating ical server load because the data volume used by the load simulator was somehow mounted read-only! The two failing minions also happened to be the two that were recently rebooted, after moving their power cables to different power circuits (to prevent blowing breakers, but that’s a whole other story). I didn’t ask for this crazy read-only nonsense!

Volumes get mounted read-only early at boot time, every time you boot, and that is normal. Usually, they are very quickly re-mounted in read-write mode, which is… ya know, more useful and stuff. My best guess at the fail here is that some part of the logging subsystem tried to open /Volumes/foo while it was still read-only, and SUCCEEDED when it probably should have failed. After all, what is the point of a logging system that mounts its log targets read-only, other than to prevent re-mounting of that filesystem read-write!

It appears that this happens. So, don’t do it, unless you wanted both no logging and a read-only data volume.

Recovering from this was not as easy as it should have been. On the first minion, I actually got beyond nuking /Volumes/foo until I remembered the /var/log symlink, so then I removed the symlink, re-created /var/log, and rebooted – this fixed minion number one. The SECOND minion was weirder. I removed the /var/log symlink, made a local /var/log, then rebooted – but /Volumes/foo still came back read-only! What?! Well I’m on a schedule so I just blew that one away too (diskutil eraseVolume), and then it came back ok – *after another reboot*. Funky.

At first blush, the “Get Value of Variable” action seems like it can only really be used in conjunction with “Set Value of Variable”. You’d use “Set” to catch the output of some upstream object, and then store the value for later use.

For those actions which do not support direct use of variable objects (e.g. “Name Single Item in Finder Item Names), one might instead try to pass the variable data as input, by connecting the input of a “Run Applescript” object to the output of “Get Value of Variable”, as long as you’re prepared to hand-write the stuff you need in Applescript.

That’s all well and good, until you realize that you need to use more than one variable in your “Run Applescript” object. For example, let’s say you’re writing a file re-namer – you might need to pass in the file extension of the ‘old’ file name, as well as the ‘new’ file name. “Get Value of Variable” can only recall a single variable’s value.

Here’s the trick: “Get Value of Variable” ALSO acts as a pass-through for whatever it receives on input, which allows you to stack multiple “Get Value”s, and then connect them to “Run Applescript”. In the “Run” object, the value of ‘input’ will be a list of the values received. In the below example, I’ve got a pair of “Get”s under another object which outputs a file / folder reference, then all of that output is dumped into a “Run” object. Those values are then accessed in the standard fashion: “the first text item of input”, “the second item of input”, etc.

Finally, the “Get Value” behavior of accepting input can be disabled by control-clicking on the “Get Value of Variable” title text on the object.

This is all in the context of configuring LDAP mappings using Directory Utility, one of the many topics covered in this PDF from Apple. The following content would fit in around page 149.

In addition to configuring custom mappings by referring to existing attributes by name (e.g. repurposing an unused attribute), you can also create local mappings that are either static or dynamic. A static mapping for an attribute means that a specified text string will be returned when the attribute is queried, instead of checking the actual record on the directory server. A local variable mapping allows you to compose the value from a mixture of supplied text strings and also references to other attribute values.

Background: LDAP Mappings
First, let us visualize what a mapping is. To really see this work on your own machine, you’ll need to be connected to some real LDAP service. Check out these steps if you’re unsure how to get at the LDAP mapping configuration in Directory Utility. In general, the process of ‘mapping’ is used to express relationships between the schema of different directory systems. There is a ‘standard’ name space that is used by Mac OS X to describe things that it needs to talk about (e.g. the name of the attribute that holds the user id). This standard name space is so-called because it is agnostic of any specific directory data storage backend. There are also ‘native’ name spaces for each backend that are used to refer to the things in that directory store.

Let’s say I have a user account in an LDAP directory, and I want to look up the unix ID and the value in the ‘comment’ field. The ‘standard’ names for these attributes are UniqueID and Comment. You can find the full definition of Apple’s ‘standard’ name space on page 273 of the aforementioned PDF.

{28} andre@donk [~] % dscl /Search read /Users/dre UniqueID Comment
Comment:
 just this guy, you know...
UniqueID: 42

If we add the -raw option, we see the name space that is associated with the attributes:

{29} andre@donk [~] % dscl -raw /Search read /Users/dre UniqueID Comment
dsAttrTypeStandard:Comment:
 just this guy, you know...
dsAttrTypeStandard:UniqueID: 42

dsAttrTypeStandard is the prefix for ‘standard’ attributes. Now let’s look in the LDAP mapping configuration to observe how these standard attributes are mapped to native attributes on the LDAP server:

For this LDAP configuration, whenever we get a query for the Comment attribute of a user record, we will look up the ‘native’ attribute named ‘description’. Using dscl, we can ask for things using either the native or standard name.

{30} andre@donk [~] % dscl -raw /Search read /Users/dre \
UniqueID Comment description UidNumber
dsAttrTypeNative:description:
 just this guy, you know...
dsAttrTypeNative:UidNumber: 42
dsAttrTypeStandard:Comment:
 just this guy, you know...
dsAttrTypeStandard:UniqueID: 42

To change the mapping, simply add or remove items from the right-side list. One common use case for a customized mapping is when the Mac OS X client is connecting to a directory service that doesn’t have a defined attribute for storing a piece of data that is required by Mac OS X. You might choose to  instead re-purpose an existing but unused attribute to store this data. To pull that off, you simply add the mapping for the appropriate ‘standard’ attribute, using the native name of the re-purposed attribute.

Local Static Mappings
Suppose that you want all clients to use the same specific value for a given attribute. In this case, a local static mapping will do the trick. Let’s say for this example that I want to create a local static mapping for the “Street” attribute. I currently have no value for that attribute in my user record:

{32} andre@donk [~] % dscl -raw /Search read /Users/dre Street
No such key: Street

Let’s add one. Click “Add…” under the right-side list. Normally this is where you’d type the name of some attribute. To treat the supplied text as a literal value instead of an attribute name to look up, prefix with a hash sign (#).

Now when we do the same query as before:

{37} andre@donk [~] % dscl -raw /Search read /Users/dre Street
dsAttrTypeStandard:Street:
 Shakedown Street

This also demonstrates that you’re allowed to have multiple mapped values, although the results aren’t that interesting yet… read on.

Local Variable Mappings
Local variable mappings are just a twist on the above. A good example is using a variable that represents the user’s short name to compose a home directory path. Click “Add…” and enter the text #/road/to/$uid$. Next, drag the entry you just created above the existing homeDirectory entry. The order in this list determines the order that results are returned. For attributes that are supposed to be single-value (like this one), that means that the requestor will only get the first result.

{40} andre@donk [~] % dscl -raw /Search read /Users/dre NFSHomeDirectory
dsAttrTypeStandard:NFSHomeDirectory: /road/to/dre
/Network/Servers/host.orange.com/Volumes/yowza/dre

At the Open Directory layer, we see that there are actually two values returned – our local variable mapping, and also another (obfuscated) result that came from the LDAP server. What happens if we actually request this data using a ‘real’ directory services client?

{2} andre@donk [~] % cd ~dre
cd: no such file or directory: /road/to/dre

We see that ‘cd’ only gets one result – the first one in the list. Of course it’s a dead end, because this is just an example!

Don’t forget…
Everything you’ve seen here is 100% client-side, and only applies to the computer you used to configure the custom mappings. If you find yourself running around configuring custom mappings on a bunch of computers, you are probably doing it wrong – in this case, please check out the handy “Write to Server…” button. This publishes the custom mappings to the LDAP server where they will be automatically downloaded by other Mac OS X Clients – provided that the LDAP server has the required support for hosting this data; it wants to put this data in a record under Config called macosxodconfig, in an attribute called ‘description’. Here’s a nice techworld article that provides an example of all this from start to finish.

<?
phpinfo();
?>

The problem is the opening <?, which is in ‘short’ form. The long / normal form of the open tag would be <?php. If you don’t feel like editing all your scripts, you can simply declare the following in your /etc/php.ini:

short_open_tag = On

To further illustrate the change, consider the following command results, produced on a Snow Leopard Server that was upgraded from Leopard:

bash-3.2# grep 'short_open' /etc/php*default*
php.ini.default:; short_open_tag
php.ini.default:short_open_tag = Off
php.ini.default-5.2-previous:short_open_tag = On
php.ini.server-default:; short_open_tag
php.ini.server-default:short_open_tag = Off

Macports users may sudo port -d selfupdate to retrieve the updated Portfile (and new patch file).

Details: https://trac.macports.org/ticket/20198

The ATI HD 4870 video card is a nice upgrade from the NVidia 8800 GT (my current card), however it’s not supported on the first generation Mac Pro (my current Mac Pro). Apple’s site states:

Compatibility:

• Requires Mac Pro (Early 2009 with 1066MHz DDR3 memory) or Mac Pro (Early 2008 with 800MHz DDR2 FB-DIMM memory) with PCI Express 2.0 slot

(The MacPro1,1 has 667 MHz DDR2 memory). I heard a rumor on the internets that this card DOES in fact work on a MacPro1,1 – with no issues or weirdness, so I had to try. My card arrived yesterday, and I’m here to report that indeed, it seems to work fine!

So far, I’ve only tried it in WoW and Motion, but so far so good… Well except for the fact that the ATI driver in 10.5.7 breaks 3d acceleration in VM guests… oh wells.

The question remains: why is this card not supported on the first-gen Mac Pro?

I’ve seen people tagging twitter messages with things like #foo or #bar. I haven’t read the RFCs on this behavior (heh), but I’m guessing that these are really just tags, used to create relationships between twats (that’s right). I have NOT seen any notion of verbosity level, which is the one thing that twitter desperately needs. Just for you, here’s my million dollar idea. Please, take the challenge. I can’t do it cause I have handcuffs… but really, I wouldn’t even if I didn’t. I think the trickiest part of all this is that many of the people who would fix this are themselves the worst offenders, so performing my suggestion would constitute an admission that they themselves are often uninteresting. If that’s you, please understand that I mean no offense… I’m mostly uninteresting as well (the difference is that I don’t share it with the world). Just think of this as a way to refrain from driving users off your ‘platform’.

All twitter clients should support tagging outbound messages with a ‘priority’ of 0 through 9. Twitter users are not required to tag their twats (that’s right) with a verbosity level, but they are encouraged to do so.

All twitter clients should support a verbosity filter for the main messages view. I would implement this as a slider that effects the UI as you drag it up or down from 0 to 9. This would easily allow a reader to start at 9 and slowly drag down, seeing messages appear in order from most to least ‘important’ (still sorted by age).

Now, here’s the key. It is only natural that many or most of your followees (leaders?) will use what you consider to be an incorrect verbosity level for some or all of their messages. That’s why the client supports the notion of TwatFactor, a per-user setting which is a simple mathematical function applied to the verbosity level of all inbound messages from a given user. This could be as simple as “whatever that guy set, minus 3″, or something more debonaire like some kind of non-linear scaling factor that gets more or less ‘sensitive’ as you approach the extremes of the scale.

Extra credit: anonymously publish and consume TwatFactor settings from other users, the end result of which could be a bona-fide self balancing system where all users get just the amount of content they want.

Go!

perhaps you look into it, carefully examining logs, and suspect that this is probably related to time machine backups (which is the exclusive use of this disk, and which surely does involve a lot of disk activity), and think you can be clever by simply turning off Time Machine and unmounting this volume to work around those unsightly panics. but no. no, I say.

Any time I had to reboot, I would always make sure to unmount this volume immediately. With it unmounted, I reasoned, the disk should just sit there unused… defective, but dormant.

This is wrong. I would still hear this disk spin up and down followed by kernel panics. The volume was not actually being mounted, according to the kernel… so who knows what was making it spin up and down. Something.

So, when your seagate 1.5 TB hard drive begins to fail: take the 3 minutes to shut down and disconnect it from your computer.

Walking around more, I find that I’ve got a directory for myself (as observed via the file permissions) with the following contents:

drwx------  35 andre  staff  1190 Oct 27 19:34 -Caches-
drwx------  12 andre  staff   408 Oct 27 21:03 -Tmp-
drwxrwxrwx@  3 andre  staff   102 Oct 27 20:42 Cleanup At Startup
drwxr-xr-x   2 andre  staff    68 Oct 27 19:26 TemporaryItems

The -Caches- folder contains application directories in the reverse domain notation, e.g. com.apple.Safari, or com.apple.mail or com.blizzard.worldofwarcraft. All of these directories seem to have at least one file: Cache.db. hmm… ok, database. fun. Let’s see what’s in it!

{56} andre@gyro [-Caches-/com.apple.Safari] % file Cache.db
Cache.db: SQLite database (Version 3)

Cool! I can do sqlite3…

{74} andre@gyro [-Caches-/com.apple.Safari] % sqlite3 Cache.db
SQLite version 3.4.0
Enter ".help" for instructions
sqlite> .tables
cfurl_cache_blob_data       cfurl_cache_schema_version
cfurl_cache_response     
sqlite> .schema cfurl_cache_response

(this produces output with really long lines, so let’s hop back to the shell right quick)

sqlite3 Cache.db ".schema cfurl_cache_response" | fold -s
CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT
UNIQUE, 		     version INTEGER, hash_value INTEGER,
storage_policy INTEGER, request_key TEXT UNIQUE, 		     time_stamp
NOT NULL DEFAULT CURRENT_TIMESTAMP);
CREATE INDEX request_key_index ON cfurl_cache_response(request_key);
CREATE INDEX time_stamp_index ON cfurl_cache_response(time_stamp);

ok, back in sqlite3 interactive mode now:

sqlite> .mode line
sqlite> select * from cfurl_cache_response where entry_ID=1;
      entry_ID = 1
       version = 0
    hash_value = -1475899696
storage_policy = 0
   request_key = http://i.cdn.turner.com/cnn/.element/css/2.0/pgaleader.css
    time_stamp = 2008-10-28 01:55:10
sqlite>
sqlite> select * from cfurl_cache_response where entry_ID<4;
      entry_ID = 1
       version = 0
    hash_value = -1475899696
storage_policy = 0
   request_key = http://i.cdn.turner.com/cnn/.element/css/2.0/pgaleader.css
    time_stamp = 2008-10-28 01:55:10

      entry_ID = 2
       version = 0
    hash_value = -763438389
storage_policy = 0
   request_key = http://i.cdn.turner.com/cnn/.element/css/2.0/main.css
    time_stamp = 2008-10-28 01:55:10

      entry_ID = 3
       version = 0
    hash_value = 1822950361
storage_policy = 0
   request_key = http://www.cnn.com/
    time_stamp = 2008-10-28 01:55:10

Neat! Ok ok, here’s the cross-app url cache searching code:

#!/bin/bash
# Here's a little ditty that does keyword searching across all the URLs in your
# /var/folders caches directory - the one returned by
# /usr/bin/getconf DARWIN_USER_CACHE_DIR

# Search term comes in as first command line argument
# -v is an optional second argument to list databases are they are searched
SEARCH=$1
VERBOSE=0

if [ ! $SEARCH ]
then echo "Usage: $0 [search term] [-v]"
exit
fi

if ( [ -n "$2" ] && [ $2 == "-v" ] )
then VERBOSE=1
fi

CACHE=`getconf DARWIN_USER_CACHE_DIR`

ls -1 $CACHE/*/Cache.db | while read db
	do
	echo -n ""
	if [ $VERBOSE == "1" ] ; then echo "   Searching $db" ; fi
	sqlite3 $db "select request_key from cfurl_cache_response where \
		request_key LIKE'%$SEARCH%';"
	done

Probably safe to not depend on any of this being available or staying the way it is in future versions of Mac OS X… but for now at least, it’s here and contains data. In case you were wondering, Safari doesn’t log here when private browsing is enabled :)

 

They have an iPhone app called GPS Tracker that pushes the coordinates up.

One simple example would be the shutdown or restart event. When the user clicks Restart, loginwindow posts a notification called com.apple.loginwindow.restartinitiated. Various other processes who have registered to receive this notification will now know that a restart is coming (soon!). A lot of stuff begins to happen to prepare the machine for a reboot. Getting that event notification from userspace out in a timely fashion to all the various custodians who need to do work is key to the whole operation.

I see two primary use cases for such a notification system: 1) You are authoring software that creates events that others (perhaps even other parts of your own software, running in a different context) need to respond to, or 2) you wish to respond to a notification for a certain event that you know is being posted by someone else.

The first case is succinctly demonstrated by the example in the man page for notifyutil. To expand on it just a bit, and more clearly demonstrate the common case of there being some indeterminate time delta between registering for a notification and receiving it, consider this example:

Open a Terminal window. Execute:

date; notifyutil -t -1 some.pants ; say 'zomg'

Open another Terminal window, but keep the first one in view. In your mind, count to ‘d’, and then execute:

notifyutil -p some.pants

In the first window, you see that a notification for some.pants was received roughly ‘d’ seconds after the registration occured, and if your audio volume is up, you hear that Mac OS X does not know how to pronounce ‘zomg’.

The second case of responding to notifications generated by others is less obvious, since in normal operation, all of these notifications are invisible to the user. You have to know the name of a notification to register for it. The fun begins when you remember to ask the question “how do I find out what notifications are being posted?”. The answer might be obvious to anyone who read the man page! notifyd is our friend, buddy. As all this is open source, we could confirm our suspicions that notifyd probably logs to ASL, and sure enough, in notify_proc.c, we see :

log_message(ASL_LEVEL_DEBUG, "__notify_server_post %s", name);

Ok! So all we need to do is ask ASL to show us debug messages for notifyd.

sudo syslog -c notifyd -d

At this point, the messages are theoretically being sent. However, the default data store (i.e. that which you can examine with the Console app) still isn’t listening, so we also need:

sudo syslog -c syslogd -d

Next you should make a new log database query using Console:

Now you can just sit back and watch the notifications roll in! For example, if I choose Restart from the Apple menu:

__notify_server_post com.apple.loginwindow.likelyShutdown
__notify_server_post com.apple.loginwindow.restartinitiated

and then a few seconds later, after I click Cancel:

__notify_server_post com.apple.loginwindow.logoutcancelled

At this point, you should be armed with enough information to find out what events are flying around, and then attach an action of your choosing to events of interest. Have fun!

Update: you can disable the debug logging as follows:

sudo syslog -c syslogd -n

sudo syslog -c notifyd off

Have a Time Capsule or Mac OS X Server configured to provide network time machine backups? Of course you do! Let’s examine the client / server interaction.

The Time Machine preference pane provides a list of available backup volumes. This list includes local volumes as well as network volumes. Mac OS X makes extensive use of multicast dns for service discovery, so let’s check there first. Get yourself a copy of Bonjour Browser, then fire it up and look under ‘local’ for things that seem interesting. Ooo there’s one called “adisk”, let’s check in there…

From http://www.dns-sd.org/ServiceTypes.html we see:

adisk          Automatic Disk Discovery
                Bob Bradley <bradley at apple.com>
                Defined TXT keys: sys, dkX

We could read a bit more about service discovery via multicast dns to learn that:

DNS-SD uses DNS TXT records to store arbitrary name/value pairs
conveying additional information about the named service. Each
name/value pair is encoded as its own constituent string within the
DNS TXT record, in the form "name=value".
...
The intention of DNS-SD TXT records is to convey a small amount of
useful additional information about a service. Ideally it SHOULD NOT
be necessary for a client to retrieve this additional information
before it can usefully establish a connection to the service. For a
well-designed TCP-based application protocol, it should be possible,
knowing only the host name and port number, to open a connection
to that listening process, and then perform version- or feature-
negotiation to determine the capabilities of the service instance.
For example, when connecting to an AppleShare server over TCP, the
client enters into a protocol exchange with the server to determine
which version of the AppleShare protocol the server implements, and
which optional features or capabilities (if any) are available.

Ok, so there’s a record there, and along with the standard parts of the record, there are two additional key / value pairs in the text record portion. The meaning of the keys and values is probably only known for sure by Time Machine and friends, but certainly some of that data looks familiar.

First there’s the IPv4 address… that’s probably provided automatically when the record is published, based on the machine’s current IP address. IPv6 address follows, again we needn’t worry about that. The port number is listed at 9, which is ‘discard’, so this is probably not used. What port *is* used, then? Well, we know that Time Machine over the network supports either AFP or SMB, so it’s going to be one of those two. Seems like AFP would be most common, just since it is the APPLE file protocol and whatnot…

Then we have the sys and dk0 items… well I dunno what waMA means (something something mac address?), but what follows certainly looks like a MAC address… and sure enough, it matches the MAC address on my Time Capsule.

Note also that the second key in the shown record is dk0, whereas the spec says the defined TXT keys are “sys, dkX”. The “X” here suggests that there might be more than one of these keys, and they are numbered starting from 0 and counting up. Let’s pick appart the dk0 entry.

dk0=adVF=0xa1,adVN=backupz,adVU=AF9AC8F1-BCF5-3E63-9EBD-CD171CF5061B

• adVF: no idea
• adVN: hmm… another “adV” prefix. air disk volume? air disk volume name?
• adVU: air disk volume UUID! (I think)

Ok, now let’s have some fun. Fire up file sharing. Click the little + button to create a new share point. Select a folder / volume that has some eh… free space on it :) The name of the folder / volume as it appears in the list of share points is the AFP share point name, so we should try to use that for ‘adVN’.

Next, use diskutil to find the UUID for the volume on which your new share point resides. The argument after “info” is the path to the volume. “/” for the boot volume, “/Volumes/whatever” for something other than the boot volume.

sudo diskutil info / | grep "UUID"

Finally, find your system’s MAC address (the one that corresponds to your primary network interface).

netstat -rn | grep default | awk '{print $6}' | xargs ifconfig | grep ether

Now we should have enough information to try to create a record. Looking at the man page for dns-sd, we see the basic usage for registering a record is:

dns-sd -R name type domain port [key=value ...]

Let’s try it! We still don’t know what adVF is, so we’ll just use 0xa1 like the Time Capsule does and see what happens. In the command below, replace 00:11:22:33:44:55 with your MAC address, “Backupz” with your new share point name, and “AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE” with the UUID of the volume on which your share point resides.

sudo dns-sd -R "Back it on up" "_adisk._tcp." "local" "9" \
        "sys=waMA=00:11:22:33:44:55" \
        "dk0=adVF=0xa1,adVN=Backupz,adVU=AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"

You should see something similar to

Registering Service Back it on up._adisk._tcp..local port 9 TXT ...

Leave that window open. Open a new terminal window.

dns-sd -B _adisk._tcp

You should see your service instance listed. cntrl-c. Get the details:

dns-sd -L "Back it on up" _adisk._tcp local

Looks good. Now go to another mac on your local network. Open the Time Machine prefpane. Click “Choose Backup Disk…”.

Cool!

Limited testing has shown that once you pick a network Time Machine disk in this fashion, the multicast dns service advertisement record is no longer needed. Apparently the Time Machine client caches the information about the location of the network disk. Also, probably a good idea to make sure that your network time machine volume is not guest-accessible…

Here’s a little script to ease the process…

#!/bin/sh
# Instructions:
# 1. Use the Sharing preference pane to configure an AFP share point that will
# be your network backup volume. Connect from another mac using Finder -->
# Connect To Server. Make sure you can log in. Note the name of the AFP volume.
# 2. Use diskutil info to get the UUID from the volume on which your AFP
# sharepoint resides.
# 3. Customize the values below.

# Customize here
servicename="Back it on up"		# the name shown in parens in the TM browser
macaddy="00:11:22:33:44:55"		# MAC address of the AFP server
volname="backupz"				# AFP sharepoint name
voluuid="6E132F57-8292-4A73-9B37-5C0F82928E85" # volume UUID 

# 4. Make sure this script is executable (chmod +x), then run it. You will be
# prompted for your password (must be admin).
# 5. Go to your other mac, use the Time Machine prefpane to select your shared
# AFP volume. The other mac needs to be on the same local network.
# 6. After selecting the volume, you can cntrl-c this script to stop it.
# 7. Enjoy your network time machine backups!

# no touchy
servicetype="_adisk._tcp."
domain="local"
port="9"
adVF="0xa1"			# magic?

# we need at least two key / value pairs, like such:
# sys=waMA=00:1F:5B:34:BC:41
# something something Mac Address, I guess...
# dk0=adVF=0x0a1,adVN=TM Test,adVU=AF9AC8F1-BCF5-3E63-9EBD-CD171CF5061B
# dkn iterates starting with dk0, then dk1... these are backup volumes
# adVF is ... something. I used trial and error to find that 0xa1 works
# adVN is volume name
# adVU is volume UUID, which you can get from diskutil info.

# dns-sd -R name type domain port [key=value ...]
sudo dns-sd -R "$servicename" "$servicetype" "$domain" "$port" \
		"sys=waMA=$macaddy" \
		"dk0=adVF=$adVF,adVN=$volname,adVU=$voluuid"

Have fun :)

pastebin.ca was used to relay larger hunks of textual information; I’ve made local copies of the results since the pastebin pages expire in 1 month. Pastebin displays line numbers, and those numbers are used here to refer to specific portions of text… however, pastebin doesn’t seem to allow users to copy the text including line numbers, so I added those myself (awk ‘{print NR “. “$0}’ file)

16:44 <@dre^> re the kerberos question: still have to use ‘connect to’ to get kerberos
16:44 <@dre^> which is weird, because the browsing method is how you get kerberos for the LKDC realms, heh
16:44 <@dre^> at least for things like screen sharing
16:51 <@dre^> wow, /dev/random is slow
16:51 <@dre^> erps, ww
17:34 -!- ideopathic [n=ideopath@75-56-246-1.lightspeed.brbnca.sbcglobal.net] has joined #afp548
17:39 < SpaceBass> dre^, connect to server doesnt use the ticket either
17:41 < SpaceBass> and for that matter, screen sharing doesnt seem to consistantly use kerberos either
17:41 < SpaceBass> apple really broke things with the whole lkdc implementation
17:44 <@dre^> heh
17:44 <@dre^> if you can’t get kerberos via connect to, there is some other problem
17:44 <@dre^> lkdc works, kerberos works… if configured and used properly ;)
17:45 <@dre^> a quick list of things to check regarding kerberized services in general:
17:45 <@dre^> * are the client and the service service configured for the same kerberos realm?
17:45 <@dre^> * does the client have a valid kerberos principal in the kdc? can the client user kinit at all?
17:46 <@dre^> * does the service server have service keytabs in the kdc? if you kadmin –> listprincs on the kdc, do you see afpserver/hostname@REALM?
17:46 <@dre^> * does the service’s configuration know what principal name to use? this is in teh afp preferences in the case of afp server
17:48 < SpaceBass> dre^, hard to misconfigure Leopard Server – create the DNS, create the OD domain, join to the domain
17:48 < SpaceBass> there’s posts all over the apple forums about it…just though I’d see if anyone had identified a work around
17:49 <@dre^> have an example post?
17:49 <@dre^> I’ve used kerberos a ton
17:49 <@dre^> so I know it’s not always broken all the time
17:49 < SpaceBass> kinit works fine, and I get a ticket at login … but I cannot use that ticket via the finder for almost anything … it does work for SSH or mount_afp in the terminal
17:50 <@dre^> right, but pls distinguish between finder browsing vs finder connect to
17:50 < SpaceBass> ever leopard machine that joins the realm creates 3 enteries for each service … host.fqdn.com host.local and a random serial number for the LKDC /back to my mac stuff
17:51 < SpaceBass> so when you say connect to, do you mean GO menu –> connect to server?
17:51 <@dre^> yes
17:51 < SpaceBass> and it hasn’t been broken all the time … 10.4 worked flawlessly …
17:51 < SpaceBass> ok an in the connect to menu, what is the uri? I’m using afp://host … I have also tried host.domain.com and host.local
17:52 <@dre^> ah, .local…
17:52 < SpaceBass> ok, tried that and I get a box asking for user/pass
17:52 <@dre^> are you using .local in your actual DNS / realm names?
17:52 <@dre^> no. dont use .local unless you are forced to, heh
17:53 < SpaceBass> no, I have a private domain …
17:53 <@dre^> and yes, it shoudl be afp://fqdn.goes.here
17:53 <@dre^> also verify that afpserver’s auth settings are either “any method” or “kerberos”
17:53 < SpaceBass> ok…with afp://host.domain.com I get 2 different results …somtimes it fails right off the bat, others it asks for user/pass
17:54 <@dre^> so then you check the KDC logs to see what’s going on
17:54 <@dre^> but of course you probably don’t have access to those…
17:54 < SpaceBass> dre^, I hand checked each plist last night … that occured to me late in the game, and I was impressed to see that they all said any and kerb
17:54 <@dre^> which is the crappy part about debugging kerberos
17:54 < SpaceBass> the logs? I’m the admin
17:54 <@dre^> ok good. check the kdc log
17:56 < SpaceBass> ok…logs show me requesting a ticket for host.local
17:56 < SpaceBass> but I’m using fqdn and the afp plist shows the host.fqdn.com as the principal to use
17:57 < SpaceBass> I dont mind manually adding those principals but that seems broken to me
17:57 <@dre^> ok… what are your existing tickets? klist
17:57 <@dre^> you should not have to add .local principals
17:58 <@dre^> specifically, what’s the realm associated with your existing tickets (if any)
17:58 < SpaceBass> right now I just have the krbtgt
17:58 <@dre^> but in what realm?
17:58 <@dre^> a .local realm or ‘other’?
17:59 < SpaceBass> NSNET.cc
17:59 <@dre^> ok great
17:59 < SpaceBass> my realm
17:59 < SpaceBass> krbtgt/NSNET.CC@NSNET.CC
17:59 < SpaceBass> what I’d expect
17:59 < SpaceBass> and if I ssh into a linux server I get host/linux.nsnet.cc@
17:59 <@dre^> so the next step woudl probably be to verify the client-side kerberos configuration. get root and take a walk into /var/db/dslocal/nodes/Default/config
18:00 <@dre^> ok intersting, so the client-side config is probably correct
18:00 <@dre^> is the afp service running on the OD master?
18:00 < SpaceBass> dre^, yes, but I dont really have any shares there…mostly on leopard workstations
18:01 < SpaceBass> (and a linux box running netatalk, but I don’t expect anyone to help me troubleshoot that)
18:01 <@dre^> no problem, just getting the lay of the land… in particular, in that configuration, it’s very unlikely that your afp service would not have the required keytabs
18:01 < SpaceBass> in …../config … didn’t know about this dir
18:01 <@dre^> yes, that config dir is the authoritative spot for such configurations
18:01 <@dre^> /L/P/edu.mit.Kerberos is an externalized representation of data found here
18:01 <@dre^> and is really ‘for legacy purposes only’
18:02 < SpaceBass> cool … I’m used to /L/P/edu …
18:02 < SpaceBass> gotcha
18:02 < SpaceBass> good to know
18:02 <@dre^> yes it is. cause sometimes that translation breaks down
18:02 <@dre^> and you need to go see what’s up
18:02 <@dre^> ok… so the next thing I would do is…
18:03 <@dre^> stand by, but I have some awesome debugging steps for you
18:03 < SpaceBass> very apperciative
18:04 <@dre^> ok here goes
18:04 <@dre^> a) open a terminal and execute the following:
18:04 <@dre^> sudo syslog -c syslog -d
18:04 <@dre^> sudo syslog -c 0 -d
18:04 <@dre^> killall NetAuthAgent
18:04 <@dre^> kdestroy -A
18:04 <@dre^> syslog -w
18:04 <@dre^> b) start a connection in Finder using ‘connect to’
18:05 <@dre^> once you attempt a connection using the proper fqdn, enter a name / pw if prompted
18:05 <@dre^> then wait 30 seconds for syslog in teh terminal to catch up, then cntrl-c it
18:05 <@dre^> you should find ample / useful debugging info in the terminal (syslog) output
18:05 < SpaceBass> interesting
18:05 < SpaceBass> lots of info
18:05 <@dre^> but I can help make sense of it if you need
18:05 < SpaceBass> getting asked for user/pass for the share
18:06 < SpaceBass> checking the logs now
18:06 <@dre^> Look for KRBCreateSession, and right after that…
18:06 <@dre^> you should see the results of some realm_for_host calls…
18:07 < SpaceBass> now the kdestroy removed all tickets … expected ?
18:07 <@dre^> my guess is that such results are either wrong or missing
18:07 <@dre^> yes, expected
18:07 < SpaceBass> k
18:07 <@dre^> but this process should obtain new tickets
18:07 < SpaceBass> how would it get my password?
18:07 < SpaceBass> I dont have it saved in the keychain
18:08 < SpaceBass> right after the KRBCreateSession line I see:
18:08 < SpaceBass> (and I can’t cut/paste b/c I’m using two different machines)
18:09 < SpaceBass> parse_principal … decomposing afpserver/osx5.nsnet.cc@NSNET.cc (seems correct)
18:09 <@dre^> ok
18:10 <@dre^> and you probably do have it in your keychain if you got in without authing
18:10 -!- SpaceBass2 [n=SP@96.228.61.195] has joined #afp548
18:10 <@dre^> ok, so that means that afp server is returning the expected principal name
18:10 < SpaceBass2> flood warning
18:10 < SpaceBass2> : [[[ KRBCreateSession () - required parameters okay
18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: [[[ parse_principal_name () decomposing afpserver/osx5.nsnet.com@NSNET.COM
18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: ]]] parse_principal_name () – 0
18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: processed host name = osx5.nsnet.com
18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: last char of host name = 0x6d
18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: getaddrinfo = success (0)
18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: canonical host name = osx5.nsnet.com
18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: [[[ realm_for_host: hostname=osx5.nsnet.com hintrealm=NSNET.COM
18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: realm_for_host: krb5_get_host_realm returned unusable realm!
18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: ]]] realm_for_host: failed to determine realm
18:11 <@dre^> ah ha
18:11 < SpaceBass> dre^, I did NOT get in without authing … I got the finder prompt for user/pass
18:11 <@dre^> ok that’s good
18:11 <@dre^> and expected
18:12 <@dre^> it definitely looks as though the client kerberos config is malformed somehow
18:12 <@dre^> since it thinks NSNET.COM is unusable
18:12 <@dre^> go ahead and kinit and paste in the TGT you get
18:12 <@dre^> or jsut klist if you already have one
18:12 < SpaceBass> ok…here’s the thing…its a brand spanking new Macbook pro … first thing out of the box…configured DNS, did updates, jointed to domain using directory utility.app
18:13 <@dre^> is that the client or afp server?
18:13 < SpaceBass2> Kerberos 5 ticket cache: ‘API:Initial default ccache’
18:13 < SpaceBass2> Default principal: ndawson@NSNET.COM
18:13 < SpaceBass2> Valid Starting Expires Service Principal
18:13 < SpaceBass2> 07/03/08 18:09:58 07/04/08 04:09:58 krbtgt/NSNET.COM@NSNET.COM
18:13 < SpaceBass2> renew until 07/10/08 18:09:58
18:13 < SpaceBass> client
18:13 <@dre^> hmm, ok
18:14 <@dre^> could you post or email me your /L/P/edu.mit.Kerberos?
18:14 <@dre^> dre@mac.com
18:14 < SpaceBass> can post – its short
18:15 < SpaceBass> pastebin at least
18:15 <@dre^> sure
18:15 < SpaceBass2> http://pastebin.ca/1061728

# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/vail.nsnet.com
# generation_id : 97528862
[libdefaults]
default_realm = NSNET.COM
[realms]
NSNET.COM = {
admin_server = vail.local
kdc = vail.local
}
[domain_realm]
.local = NSNET.COM
local = NSNET.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log

18:16 < SpaceBass> thats a little different than I’m used to seeing – but its what apple generates
18:16 <@dre^> loading…
18:16 <@dre^> (slowly)
18:17 < SpaceBass> again, really appreciate the help
18:17 <@dre^> sure no prob :)
18:18 < SpaceBass2> I am surprised that apple’s automated processes seem to be broken
18:19 <@dre^> heh, well… I guess that’s good. one should ideally expect things to work properly without too much work :)
18:20 < SpaceBass2> exactly
18:21 <@dre^> ok it loaded finally
18:21 <@dre^> oh, lol
18:21 <@dre^> I see the problem :P
18:22 <@dre^> kdc = vail.local
18:22 <@dre^> vail.local should be a fqdn
18:22 < SpaceBass2> in the edu… ?
18:22 <@dre^> yes absolutely
18:22 < SpaceBass2> see, I thought the same thing, but what is that part about the aliasing?
18:23 <@dre^> theoretically in a perfect world this would be a valid configuration
18:23 < SpaceBass2> :D
18:23 <@dre^> the thing is that Kerberos makes assumptions based on host name / fqdn
18:23 < SpaceBass2> ok … if I change edu.mit.kerb …how do I get it to update the files in /var…/config
18:23 <@dre^> so you need to use the fqdn for the KDC that matches the host name portion of the kerberos principals
18:23 <@dre^> you should not change it
18:23 <@dre^> you should unbind and rebind using a fqdn and see what happens
18:23 < SpaceBass2> ok
18:24 < SpaceBass2> rebind using the fqdn of the server?
18:24 <@dre^> yes
18:24 < SpaceBass2> odd, b/c thats what I did
18:24 <@dre^> unbind / rebind the client
18:24 <@dre^> ok, then don’t do that
18:24 < SpaceBass2> glad to re-try
18:24 -!- dakine [n=sam@bas3-toronto01-1177779856.dsl.bell.ca] has quit ["This computer has gone to sleep"]
18:24 <@dre^> let’s verify the server configuraiton
18:24 < SpaceBass2> k
18:24 <@dre^> on teh OD master: sudo slapconfig -checkhostname
18:24 <@dre^> er, sorry
18:25 <@dre^> sudo changeip -checkhostname
18:25 < SpaceBass2> yeah , I figured thats what you meant :D … vail.nsnet.com
18:25 <@dre^> in general, it’s good to resist the temptation to hand-hack any config files, because doing so may break assumptions that apple makes about the contents of the files, in the cases where the same config files are maintained automatically by apple tools
18:26 < SpaceBass2> dre^, I’ve learned that the hard way before :)
18:26 <@dre^> so it says “there’s nothing to change” at the end?
18:26 < SpaceBass2> yes
18:26 <@dre^> ok good
18:26 < SpaceBass2> names match, nothing to change
18:27 <@dre^> does the server’s /L/P/edu.mit.Kerberos look the same?
18:27 <@dre^> it probably will…
18:27 < SpaceBass2> exactly the same
18:27 < SpaceBass2> (and that damn .local keeps throwing me off too)
18:27 <@dre^> yeah. it should be. that data is all downloaded by the client from the LDAP directory
18:28 <@dre^> (when you bind, a tool called kerberosautoconfig … well, does that)
18:28 < ideopathic> i’m following a long trying to learn a little about kerberos. where is the file located that you uploaded to pastbin?
18:28 < SpaceBass2> and, like I said…ssh and mount_afp work …
18:28 < SpaceBass2> ideopathic, /Library/Preferences
18:28 < SpaceBass2> ideopathic, this is a good one to follow :D learning a lot myself
18:28 <@dre^> there is still something wrong if it thinks your kdc is hosted by a .local thing
18:28 <@dre^> you’re supposed to get a fqdn there, e.g. vail.nsnet.com
18:29 <@dre^> ok, so let’s check your kdc configuration…
18:29 <@dre^> on the KDC (OD master): ps auxwww | grep krb
18:29 -!- dakine [n=sam@bas3-toronto01-1177779856.dsl.bell.ca] has joined #afp548
18:29 <@dre^> you shoudl see krb5kdc running and supporting at least one realm
18:29 < SpaceBass2> root 96 0.0 0.2 82512 2480 ?? S 25Jun08 0:15.03 /usr/sbin/krb5kdc -n -r LKDC:SHA1.B3567769537F126486F54B94C5B03C7A439C0F80 -r NSNET.COM -a
18:29 <@dre^> very interesting
18:30 <@dre^> so the KDC thinks it’s hosting two realms, the LKDC realm and the NSNET.COM realm
18:30 < SpaceBass2> yeah…theres those damn lkdc entries again
18:30 <@dre^> that’s fine, don’t fear the lkdc ;)
18:30 < SpaceBass2> oh but I do :D
18:30 <@dre^> perhaps this will aleviate your concern: http://www.dreness.com/wikimedia/index.php?title=LKDC
18:30 <@dre^> a little write-up I did about the LKDC
18:31 <@dre^> but that is beside the point
18:31 <@dre^> the question is: what broke between the KDC configuration and the population of the KerberosClientConfig record in OD
18:31 <@dre^> open workgroup manager
18:32 <@dre^> actually let’s just use dscl
18:32 < SpaceBass2> cool – good reading!
18:32 <@dre^> dscl /LDAPv3/127.0.0.1 (on the OD master)
18:32 < SpaceBass2> k
18:32 <@dre^> read /Config/KerberosClient
18:32 < SpaceBass2> I’ll warn you, my dscl-fu is weak
18:33 <@dre^> this should be similar to what you see in /L/P/edu.mit.kerberos (albeit formated differently)
18:33 <@dre^> true or false?
18:33 < SpaceBass2> checking -its xml …but close
18:33 <@dre^> mainly looking for vail.local
18:33 < SpaceBass2> yeah
18:34 < SpaceBass2> its there
18:34 <@dre^> ok
18:34 < SpaceBass2> as the KDC for nsnet.com
18:34 < SpaceBass2> nsnet.cc
18:34 <@dre^> this is the data that is downloaded by clients when they bind
18:34 <@dre^> wait
18:34 < SpaceBass2> ah!
18:34 <@dre^> nsnet.cc or nsnet.com!?!
18:34 < SpaceBass2> cc
18:34 < SpaceBass2> sorry
18:34 < SpaceBass2> er..com
18:34 < SpaceBass2> it is com
18:34 <@dre^> hehe
18:34 < SpaceBass2> and .com is correct
18:35 <@dre^> ok
18:35 < SpaceBass2> and if I’ve been saying .cc its an old habit
18:35 < SpaceBass2> but nsnet.com is a private domain …in that i do not own it on the interwebs
18:35 <@dre^> … that is not recommended ;)
18:35 <@dre^> you should use fake TLDs in that case
18:35 < SpaceBass2> yeah, stupid move that I made years ago and wish I could undo
18:36 <@dre^> e.g. nsnet.lan
18:36 < SpaceBass2> but I suspect trying to change the realm now would be pretty challenging
18:36 <@dre^> you can and should un-do it as a reasonably high priority
18:36 <@dre^> it could cause very hard to track down DNS ‘problems’
18:36 <@dre^> but we’ll talk about that later
18:36 < SpaceBass2> what I’d really like to do get a public domain and do a dual horizon dns … would make getting a comercial cert much easier
18:37 < SpaceBass2> but like you said, I can tackel that later
18:37 <@dre^> ok, so
18:37 <@dre^> now let’s look at /Library/Logs/slapconfig.log
18:37 <@dre^> might wanna slap that on pastebin
18:37 <@dre^> (on the OD master)
18:37 <@dre^> slapconfig.log records information about OD role changes, such as promotion to master
18:38 < SpaceBass2> assume there is nothing sensitive in there
18:38 <@dre^> nothing that you haven’t already told us :)
18:38 <@dre^> might be an admin account name
18:38 * SpaceBass2 pats his PFsense box
18:38 <@dre^> but certainly no passwords…
18:39 < SpaceBass2> http://pastebin.ca/1061749

http://dreness.com/bits/tech/applied_kerberos_troubleshooting/paste1

18:39 <@dre^> (although before tiger shipped, I did find admin passwords in that log… heh. fixed before ship though, thankfully…)
18:39 < SpaceBass2> ouch!
18:39 <@dre^> full disclosure: I work at apple
18:40 <@dre^> loading slow again…
18:40 < SpaceBass2> yeah? awesome
18:40 < SpaceBass2> full discolsure I’m a fan boy
18:40 <@dre^> hehe
18:40 * SpaceBass2 has 16 macs …personally … this is a home setup by the way
18:41 < SpaceBass2> and my wife is only tolerating me troubleshooting this right now b/c I’ve promised that she’ll be able to mount the media share again
18:41 <@dre^> haha
18:41 <@dre^> ok it’s loaded, reading
18:42 < SpaceBass2> k
18:42 < SpaceBass2> reading myself as its new to me
18:42 <@dre^> I see you had one false start
18:43 < SpaceBass2> yeah – in fact, the long history is that I did a tiger-leo upgrade and it failed several times … so I blew it away and re-created the OD from sctatch …and did indeed have a false start
18:44 <@dre^> hmm, looks like you’re merging in an OD backup from tiger
18:45 < SpaceBass2> I did try and pull in a backup – again failed … you should see where I eventually re-created by hand
18:45 < SpaceBass2> if memory serves ….
18:45 <@dre^> heh ok, still reading
18:45 < SpaceBass2> I did try and pull in the backup and then create new passwords, but I wasn’t getting user principals
18:46 <@dre^> upgrades are risky business…
18:48 <@dre^> ok, so if you look at line 247
18:48 <@dre^> that’s where it starts creating the wrong service principals
18:48 <@dre^> though there is no obvious indication of why it’s doing it wrong… between line 202 and 247 appears normal
18:49 < SpaceBass2> leme look
18:49 < SpaceBass2> the warnings?
18:49 <@dre^> no, the principal name itself
18:49 <@dre^> er, the hostname portion of the service principals
18:49 <@dre^> vail.local
18:50 < SpaceBass2> i see
18:50 <@dre^> intersetingly enough, when you kerberize other hosts, they work
18:50 <@dre^> e.g. telluride
18:50 <@dre^> that explains why ssh to linux is working
18:50 < SpaceBass2> telluride is a linux box – added by hand
18:50 <@dre^> *nod*
18:50 <@dre^> note line 327
18:51 <@dre^> the service principals are being created with the correct server name
18:51 < SpaceBass2> humm I cannot seem to get into kadmin
18:51 <@dre^> try kadmin.local as root
18:51 < SpaceBass2> but what I have observed in the past is that it creates 3 enteries for each OSX host
18:51 <@dre^> yes, that is fixed in 10.5.3
18:51 <@dre^> but only for ‘new’ installs :/
18:51 < SpaceBass2> is it?!?!
18:52 <@dre^> it’s not really a functional problem, more cosmetic
18:52 < SpaceBass2> I’m on 10.5.2 – been avoiding the upgrade b/c I wasn’t sure it was safe yet
18:52 <@dre^> well now it’s 10.5.4, heh
18:52 < SpaceBass2> even for server?
18:52 <@dre^> yes
18:52 < SpaceBass2> on .4 for clients
18:52 < SpaceBass2> cool
18:52 <@dre^> in general, updates ship at the same time for client and server
18:52 < SpaceBass2> I’ll update tonight if all goes well
18:52 < smultron> i updated
18:53 < smultron> no problems
18:53 <@dre^> well… if you don’t have a lot of stuff in your OD master, you should probably demote / promote
18:53 < SpaceBass2> interesting – I only see vail.local in the keytab
18:53 <@dre^> yes, that is a problem :)
18:53 <@dre^> you might be able to slapconfig -kerberize your way to nirvana… lemme see
18:53 < SpaceBass2> oh yeah it is! can’t belive I missed that
18:53 <@dre^> I’ve never really done that, since I always stop at the first sign of weirdness and start over
18:53 < SpaceBass2> I mean, I can add em if need be
18:54 <@dre^> in general, watch slapconfig.log like a hawk whenever you do OD stuff
18:54 < SpaceBass2> but, since osx1.nsnet.com is trying to connect to osx5.nsnet.com … does vail.local matter?
18:54 < SpaceBass2> would that break the “chain” so to speak?
18:55 <@dre^> well, it matters in the sense that vail’s services are kerberized using the wrong hostname
18:55 < SpaceBass2> (and hostname on the kdc reports vail.nsnet.com )
18:55 <@dre^> right, it’s just the self-kerberization that failed for some reason
18:56 <@dre^> ok, couple more things to check…
18:57 <@dre^> sudo sso_util info -r /LDAPv3/127.0.0.1
18:57 <@dre^> should return NSNET.COM
18:58 < SpaceBass2> ’tis
18:58 < SpaceBass2> nsnet.com
19:00 <@dre^> ok, so there is an sso_util command that can attempt to kerberize services on the OD master
19:00 <@dre^> sso_util configure
19:00 < SpaceBass2> oh…?
19:00 <@dre^> but this will make changes
19:00 < SpaceBass2> at this point, its not like I cannot rebuild again … data is on the clients and its all backed up
19:00 <@dre^> so before doing that, let me ask: how much stuff is in the OD master? How long would it take you to demote and promote, and recreate all of the users / kerberized hosts?
19:00 <@dre^> ok
19:00 < SpaceBass2> and rebuilding the OD master isn’t too hard
19:01 <@dre^> well depends on how much stuff is in it :) the idea is we don’t want to restore from an archive
19:01 < SpaceBass2> I’d really prefer not to do that…at least not tonight … but its “do-able”
19:01 <@dre^> as that will restore potentially bad data
19:01 <@dre^> well doing the sso_util configure shouldn’t break anything other than kerberized services on the OD master
19:01 < SpaceBass2> guess what I’m saying is: I’m ok with risking it
19:01 <@dre^> which means that at works, you have to use standard auth and not kerberos
19:01 <@dre^> s/works/worst/
19:02 < SpaceBass2> I can live with standard for a few days if I have to
19:03 <@dre^> ok so try: sudo sso_util configure -r NSNET.COM -a admin-name all
19:03 <@dre^> where admin-name is your *directory* administraotr
19:03 <@dre^> you will be prompted for a password
19:03 < SpaceBass2> says either us -p or named pipe
19:04 <@dre^> oh, interesting… must be a difference between versions
19:04 <@dre^> try passing -p with no password
19:04 < SpaceBass2> same error
19:04 <@dre^> blah, then do -p <password>
19:04 <@dre^> which is evil and stupid
19:04 <@dre^> 10.5.4 server allows you to get a secure prompt
19:04 < SpaceBass2> guess I can truncate history later :D
19:04 <@dre^> heh *nod*
19:05 <@dre^> hopefully you will see it creating new service principals…
19:05 < SpaceBass2> ok…same error …so I moved -p right after the -a diradmin
19:05 <@dre^> in the form service/vail.nsnet.com/NSNET.COM
19:05 <@dre^> hmm
19:05 < SpaceBass2> creating service princs
19:05 < SpaceBass2> add_principal: Principal or policy already exists while creating “ldap/vail.local@NSNET.COM”.
19:05 <@dre^> bah!
19:06 <@dre^> and you are sure that the ‘hostname’ command does not return vail.local?
19:06 < SpaceBass2> 100%
19:06 <@dre^> oh, I guess this could be keying off the KerberosConfig record…
19:06 <@dre^> maybe we need to re-publish that
19:06 <@dre^> ok let’s see…
19:07 < SpaceBass2> and by the way – if I’m keeping you from something, please say so
19:07 < SpaceBass2> you’v been more than helpful, to say the least
19:07 <@dre^> well thanks :) I kinda wanna solve this, I’m sure i’ll be seeing similar problems from others…
19:07 <@dre^> (I help scrub incomming server bugs)
19:08 < SpaceBass2> I really appreciate the help!
19:08 < SpaceBass2> gotcha – so this is right up your alley then
19:08 < SpaceBass2> although I suspect you dont see many home users with Server
19:09 <@dre^> well, no…
19:10 <@dre^> ok, gotta find how the KerberosClient record can be re-created
19:10 <@dre^> cause that’s where the bad data is coming from
19:10 < SpaceBass2> I’d show you my server cabinet and rack …but its a tad shoddy compared to a real server room
19:10 <@dre^> could very well have been left over from the false start(s)
19:12 < SpaceBass2> humm
19:12 <@dre^> ok how about this
19:12 <@dre^> dscl /Search list /Computers
19:13 < SpaceBass2> livingroom.local$
19:13 < SpaceBass2> livingroom.nsnet.com$
19:13 < SpaceBass2> LKDC:SHA1.2F5BAB71984D985DC0BA0D103C85DC067EF0A22E$
19:13 < SpaceBass2> LKDC:SHA1.64604752011301522B118A9CFE83A95560B194E5$
19:13 < SpaceBass2> LKDC:SHA1.AB999D5B63EDDCDC11B360E1EACB9536849844CC$
19:13 < SpaceBass2> LKDC:SHA1.C1E7E428054307B586CD240141B42583DF46FB5A$
19:13 < SpaceBass2> LKDC:SHA1.C2DA7627FD7C4E44EFE720A00FAE2CE2F76BA9A8$
19:13 < SpaceBass2> LKDC:SHA1.DD1F37D568FCC14ACE2F3935554012B235C87A4C$
19:13 < SpaceBass2> LKDC:SHA1.DD362AEF0FD6C7CBA5664D5FD27818058317ED49$
19:13 < SpaceBass2> osx1
19:13 < SpaceBass2> osx1.local$
19:13 < SpaceBass2> osx1.nsnet.com$
19:13 < SpaceBass2> osx10.local$
19:13 < SpaceBass2> osx10.nsnet.com$
19:13 < SpaceBass2> osx5
19:13 < SpaceBass2> osx5.nsnet.com$
19:13 < SpaceBass2> osx7.local$
19:13 < SpaceBass2> osx7.nsnet.com$
19:13 < SpaceBass2> telluride.nsnet.com
19:13 < SpaceBass2> vail.nsnet.com$
19:13 < SpaceBass2> oops…SORRY
19:13 < SpaceBass2> ment to put that into pastebin
19:13 <@dre^> no worries, butok, vail.nsnet.com is there
19:15 < SpaceBass2> help me understand the $ … is that some kind of wild card
19:15 <@dre^> used for computer records
19:15 <@dre^> maybe only those with a qualified name
19:15 <@dre^> e.g. foo.tld instead of just foo
19:15 <@dre^> and I think only when they are auto-generated
19:16 <@dre^> which is why teh linux box record doesn’t have one
19:16 < SpaceBass2> gotcha
19:16 < SpaceBass2> gotcha
19:17 <@dre^> ok hmmm
19:17 < SpaceBass2> I’ve avoided joining the other machines until I get the issues sussed out
19:18 <@dre^> dscl /Search read “/Computers/vail.nsnet.com$”
19:18 <@dre^> sorry
19:18 <@dre^> dscl /Search read “/Computers/vail.nsnet.com$” cn
19:19 < SpaceBass2> dsAttrTypeNative:cn: vail.nsnet.com$ vail.nsnet.com
19:19 <@dre^> ok
19:20 <@dre^> kdcsetup is the one who writes the KerberosClient record into LDAP
19:22 <@dre^> but it doesn’t appear to be able to only re-write KerberosClient without doing everything else
19:22 <@dre^> so fire up WGM
19:22 <@dre^> go into prefs, turn on the inspector
19:22 < SpaceBass2> k
19:22 < dakine> hey guys, quick question
19:23 < dakine> what do you say you do for a living?
19:23 <@dre^> click the bullseye icon (the right-most above the left-hand list view)
19:23 <@dre^> I work at apple as a seed engineer
19:23 < SpaceBass2> <– healthcare process improvement :D
19:23 <@dre^> software seeding, that is
19:23 < SpaceBass2> looking for inspector
19:24 <@dre^> second checkbox
19:24 <@dre^> (in the wgm prefs)
19:24 < dakine> lol
19:24 < dakine> ok
19:24 < SpaceBass2> see it now
19:24 <@dre^> dakine: in case that isn’t clear, I help mediate communications between external customers with bugs and apple software engineers
19:24 < SpaceBass2> ok…in the bulls eye
19:24 < SpaceBass2> also new to me
19:25 < dakine> ah
19:25 <@dre^> from the pop-up menu, select Config
19:25 < dakine> so you are the middleman
19:25 <@dre^> well I hate that term, heh
19:25 < dakine> cause the software engineers arent people persons
19:25 <@dre^> middleman implies that I’m good for nothing ;)
19:25 < dakine> lol
19:25 < dakine> listen
19:25 < dakine> nothing gets done without the middle man
19:26 <@dre^> space: then select KerberosClient
19:26 < dakine> its just the problem givers and the problems solvers in communicado
19:26 <@dre^> then select XMLPlist and click Edit below
19:26 < dakine> anyways I am off
19:26 <@dre^> later dakine :)
19:26 < SpaceBass2> im there
19:26 < SpaceBass2> later dakine
19:26 <@dre^> fix the hostnames
19:26 <@dre^> vail.local becomes vail.nsnet.com
19:27 < SpaceBass2> k
19:27 <@dre^> and increment the generation ID by one
19:27 <@dre^> (at the bottom)
19:27 < SpaceBass2> fixed
19:27 <@dre^> the generation ID is how the client tells if its local version of the config is stale
19:28 < SpaceBass2> ah
19:28 < SpaceBass2> that long integer at the btm?
19:28 <@dre^> yes
19:28 < SpaceBass2> k
19:29 <@dre^> click OK to comit the changes
19:29 <@dre^> click Save if it’s lit up
19:29 < SpaceBass2> k
19:29 <@dre^> go back to the client and run sudo kerberosautoconfig
19:29 <@dre^> (we’ll do the server next if this works)
19:29 <@dre^> then examine edu.mit.Kerberos on the client
19:30 <@dre^> the kdc and kdc admin server should be reported as vail.nsnet.com
19:30 < SpaceBass2> yep
19:30 < SpaceBass2> it is
19:30 <@dre^> ok great
19:30 <@dre^> same thing on the OD master
19:30 < SpaceBass2> on the master huh?
19:30 < SpaceBass2> k
19:30 <@dre^> aye
19:31 < SpaceBass2> done
19:31 <@dre^> now we want to sso_util configure again, same as before… lemme double check the usage
19:31 <@dre^> sudo sso_util configure -r NSNET.COM -a whatever -p whatever all
19:32 <@dre^> now you shoudl get correct keytabs
19:32 <@dre^> if so, that *should* be it
19:32 < SpaceBass2> still got warnings about the .local :(
19:33 <@dre^> BAH
19:33 <@dre^> and you did check that it got an updated edu.mit.kerberos, right?
19:33 <@dre^> the od master
19:33 < SpaceBass2> yeah
19:34 < SpaceBass2> its correct
19:34 <@dre^> hmm
19:34 <@dre^> oh, uhm..
19:34 <@dre^> well no, not a stale DS cache if hte on-disk file is correct
19:35 < SpaceBass2> yeah, checking /L/P/edu…
19:35 -!- Azhi_Dahaka [n=Azhi@unaffiliated/azhidahaka/x-172934] has quit []
19:36 <@dre^> oooo
19:36 <@dre^> I think I know :)
19:37 <@dre^> you might have an ‘upgraded’ sso_util
19:37 <@dre^> from tiger
19:37 <@dre^> md5 /usr/sbin/sso_util
19:37 <@dre^> paste results pls
19:37 < SpaceBass2> its a fresh install from leopard
19:37 <@dre^> oh dammit
19:37 < SpaceBass2> its a one liner
19:37 < SpaceBass2> MD5 (/usr/sbin/sso_util) = 32a7a95f3e49502ddb0863583c30410d
19:37 < SpaceBass2> 10.5.3 remember
19:38 <@dre^> ppc?
19:38 < SpaceBass2> yeah …
19:38 < SpaceBass2> g4
19:38 <@dre^> k, no problem. but that probably explains why its different from mine
19:38 <@dre^> actually..
19:38 <@dre^> file /usr/sbin/sso_util
19:38 <@dre^> paste results
19:38 < SpaceBass2> if I buy an xserver my wife call it quits
19:39 <@dre^> heh, they are big and loud
19:39 < SpaceBass2> http://pastebin.ca/1061784
19:40 < SpaceBass2> can’t be louder than my 2u linux box :D
19:40 < SpaceBass2> but might be hotter
19:41 <@dre^> just looking for both a ppc and i386 image, that’s all…
19:41 <@dre^> not really taht important.
19:41 <@dre^> hmm, there’s supposed to be an sso_util debug mode…
19:42 < SpaceBass2> is sso_util unique to OSX?
19:42 <@dre^> here we go
19:42 <@dre^> this is gonna be big-ass
19:43 <@dre^> same sso_util command, but add: -v 7 after configure and before -r
19:43 <@dre^> and pastebin results
19:43 < SpaceBass2> which cmd?
19:43 < SpaceBass2> the confgure ?
19:43 < SpaceBass2> configure ?
19:43 <@dre^> sso_util configure -v 7 …
19:44 < SpaceBass2> any second Im going to forget and pastebin the admin passwd
19:45 <@dre^> well at least your conscious of that possibility ;)
19:46 < SpaceBass2> http://pastebin.ca/1061791

http://dreness.com/bits/tech/applied_kerberos_troubleshooting/paste2

19:46 <@dre^> I suspect that the GerPrimaryHostName block will contain the error…
19:47 <@dre^> oh snap, do you have multiple IPs on the od master?
19:47 < SpaceBass2> leme check – I did under tiger server, but didn’t tink I did any more
19:48 <@dre^> man pastebin.ca needs an upgrade
19:48 <@dre^> still loading… there it goes
19:48 <@dre^> shit
19:48 < SpaceBass2> I had to do it under tiger b/c I did a DNS move (migrated from Windows Server…what a mistake that was) … but thats a long story
19:49 < SpaceBass2> yeah…still have two IPs
19:50 < SpaceBass2> don’t need the 2nd anymore since I’m not doing VPN on the OSX server anymore
19:50 <@dre^> yep foudn the problem
19:50 <@dre^> line 433
19:51 < SpaceBass2> <CFArray 0x10ec80 [0xa07e7174]>{type = immutable, count = 2, values = (
19:51 < SpaceBass2> ?
19:51 <@dre^> heh, no not that specific line
19:51 <@dre^> but that begins a block…
19:51 <@dre^> 432: GetPrimaryHostName
19:51 <@dre^> then it steps through your network interfaces
19:52 <@dre^> in the two blocks that follow
19:52 <@dre^> for each interface, you see attributes like family, dnsName, name, serviceName, etc
19:52 <@dre^> note that the second one has isPrimaryIPv4Interface
19:52 < SpaceBass2> brb….going to change root on several computers
19:52 <@dre^> guess which one that is :)
19:52 <@dre^> good idea
19:53 <@dre^> you *should* be able to solve this by simply setting 10.1.1.5 as your primary address
19:53 <@dre^> which you can do by drag / drop in the network prefpane’s list of interfaces (under ‘change network service order’, from the gear menu)
19:54 <@dre^> woohoo, we found the problem!
19:54 < SpaceBass2> one sec…
19:55 <@dre^> do you mind if I post this chat log to my blog?
19:55 < SpaceBass2> and I created a huge one
19:55 <@dre^> yeah, heh. happens to everybody at one time or another…
19:55 < SpaceBass2> no, please do…I was going to ask you if I could keep it too
19:55 <@dre^> just be fast about changing and double-check access logs…
19:56 <@dre^> I’ve actually typed passwords directly into IRC before, when I thought a certain window had focus but between the time that it had focus and the time I typed the password, something caused a change in window focus…
19:56 <@dre^> like an errant mouse click, for instance…
19:56 < SpaceBass2> ok… ssh closed …. passwords changed
19:57 * SpaceBass2 wipes brow
19:57 <@dre^> so anyway, do you see what’s going on line 432?
19:57 <@dre^> “going on on line 432″
19:58 <@dre^> “GetPrimaryHostName”… this result will be used to form the server name portion of the kerberos service principal
19:58 < SpaceBass2> leme look
19:59 <@dre^> looking at the two blocks directly following (434 – 439 and 441 – 448), you can see attributes that look like they are related to network interfaces
19:59 <@dre^> like ipAddress, dnsName, family, etc
19:59 < SpaceBass2> ahhhh
19:59 < SpaceBass2> snap!
19:59 <@dre^> so the bonus question is:
19:59 <@dre^> how does the system determine what the primary hostname is?
19:59 < SpaceBass2> of course
19:59 <@dre^> look at the differences in the attributes for each interface
19:59 < SpaceBass2> there’s no DNS entry for the 2nd interface
20:00 <@dre^> well… they both have dnsName
20:00 <@dre^> but what attribute is present for one but not the other?
20:00 < SpaceBass2> looking
20:00 <@dre^> ok there’s two… userDefinedName, and one other… the other one is the key :)
20:01 < SpaceBass2> yep… .nsnet.com vs .local
20:01 < SpaceBass2> binbo
20:01 < SpaceBass2> bingo
20:01 <@dre^> no no
20:01 <@dre^> keep looking
20:01 <@dre^> how does it know which of those to choose?
20:01 < SpaceBass2> en0?
20:01 <@dre^> nope
20:01 <@dre^> which attribute is present for one but not the other?
20:01 < SpaceBass2> ok…leme keep looking
20:01 <@dre^> besides userDefinedName
20:01 < SpaceBass2> dont tell me
20:02 <@dre^> en0 is not an attribute, it’s a value
20:02 < SpaceBass2> d’oh
20:02 < SpaceBass2> isPrimaryIPv4Interface = true
20:02 <@dre^> the attribute that corresponds to en0 is ‘name’, as in the bsd name of the interface
20:02 <@dre^> yep, that’s the one
20:02 < SpaceBass2> I’m actually laughing out loud
20:02 <@dre^> so then, how do you set which is the primary interface? :)
20:02 < SpaceBass2> never in a million years
20:02 < SpaceBass2> well now, thats a good question
20:03 <@dre^> there is a very easy GUI answer, also :)
20:03 < SpaceBass2> b/c the one it identifies as primary is actually a copy
20:03 <@dre^> and that’s perfectly legit
20:03 < SpaceBass2> I’m guessing you go into network prefs and drag it first
20:03 <@dre^> yep!
20:03 < SpaceBass2> ALRIGHT!
20:03 <@dre^> the top-most active interface is the primary
20:03 <@dre^> you should be able to simply make that change and re-run sso_util
20:04 < SpaceBass2> ok …what if I just delete it?
20:04 < SpaceBass2> since I dont need it?
20:04 <@dre^> well… that could be a problem
20:04 < SpaceBass2> ok
20:04 <@dre^> because when you promote to master, the primary hostname / address is encoded in several spots
20:04 <@dre^> but no fear: changeip to the rescue
20:05 <@dre^> so you want to changeip over to .15 / vail.nsnet.com
20:05 <@dre^> see the changeip manpage for examples
20:05 < SpaceBass2> ok,… the one listed as primary is actually 2nd in the gui
20:05 <@dre^> really?!?
20:05 < SpaceBass2> yeah
20:05 <@dre^> well, which gui
20:05 <@dre^> are you in ‘change network service order’, or the overview?
20:06 <@dre^> sorry, ‘set network service order’, under the gear menu
20:06 < SpaceBass2> http://www.flickr.com/photos/nickdawson/2634507389/

20:06 <@dre^> which is just above the lock
20:06 <@dre^> ya, click the gear icon
20:06 <@dre^> ‘set network service order’
20:06 < SpaceBass2> modem, if1 (.15) firewire if2 (.17)
20:07 < SpaceBass2> .17 is the one set as .local and primary and is not needed
20:07 <@dre^> .17 should appear above .15 in the ‘set network service order’ list
20:07 <@dre^> since it is in fact the primary, and that list order is supposed to be what defines the primary
20:08 <@dre^> on the ohter hand
20:08 <@dre^> most of hte system appears to believe that vail.nsnet.com is the primary hostname
20:08 <@dre^> which suggest that somehow, somewhere, the network config got confused
20:08 <@dre^> what I would try is simply dragging .17 to the top, and then dragging .15 to the top
20:09 <@dre^> which should re-set the isPrimaryIPv4Interface to be correct
20:09 < SpaceBass2> back…had to get power
20:09 < SpaceBass2> http://www.flickr.com/photos/nickdawson/2635335214/

20:10 <@dre^> yeah just try dragging ‘ethernet’ to the top
20:10 <@dre^> er sorry
20:10 <@dre^> oh wow
20:10 <@dre^> no this is very broken
20:10 <@dre^> lol
20:10 < SpaceBass2> lol!
20:10 <@dre^> both of those interfaces claim to be ‘en0′
20:11 <@dre^> which is theoretically impossible
20:11 < SpaceBass2> well, in linux-speak … en1 and en1:1
20:11 <@dre^> right, but when you create virtual interfaces in os x, they each get unique bsd names
20:11 < SpaceBass2> in other words 10.1.1.17 is a vitrual IP
20:11 < SpaceBass2> right
20:11 < SpaceBass2> and bsd interface names baffle me :D
20:12 <@dre^> hmm… actually maybe I’m wrong about that. ifconfig would show them in teh same physical interface
20:12 <@dre^> os maybe this isn’t horribly broken as I thought
20:12 <@dre^> but they are definitely ordered wrong, or at least the OS thinks they are
20:12 <@dre^> (you can use ifconfig to read, but should not use it to change settings)
20:12 < SpaceBass2> how detrimental would it be to delete the virtual IP?
20:12 <@dre^> (the os x equivalent is ipconfig)
20:13 <@dre^> probably not very, since your system already thinks it is vail.nsnet.com
20:13 < SpaceBass2> yeah, I know ifconfig :D …
20:13 <@dre^> except for this one little piece of configuration which is wrong
20:13 <@dre^> but just to be safe, disable it instead of deleting
20:13 < SpaceBass2> ok
20:13 <@dre^> gear –> make service inactive
20:13 <@dre^> that way you can always turn it on if something assplodes
20:14 < SpaceBass2> is that the same as ifconfig <interface> down ?
20:14 <@dre^> yes, but don’t do that in os x
20:14 <@dre^> you should only use ifconfig to read settings, not write them
20:14 < SpaceBass2> yeah?
20:14 < SpaceBass2> you mentioned that
20:14 <@dre^> (because ifconfig bypasses the system frameworks that are used by the rest of the OS)
20:15 < SpaceBass2> I always have to remind myself that bash in osx is truly just a shell
20:15 <@dre^> so you could make a change, but hte OS doens’t know the change was made (only the very low networking layers), and so e.g. network prefs would be totally ignorant of the change
20:15 < SpaceBass2> which is arguably the way it should be
20:15 <@dre^> if you want to make network changes from the cli, use ipconfig or networksetup
20:16 <@dre^> so disable the interface and re-run sso_util
20:16 <@dre^> brb, potty
20:16 < SpaceBass2> jawdrop – ipconfig is a binary in 10.5 … wow
20:18 < SpaceBass2> ok … re-ran and same result …still .local
20:18 < SpaceBass2> but I feel that we are very close :D
20:18 <@dre^> hmm
20:18 <@dre^> let me see that relevant hunk of sso_util configure -v 7 output
20:19 < SpaceBass2> Entry for principal ftp/vail.local@NSNET.COM with kvno 7, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
20:19 <@dre^> the part where it detects network name
20:19 < SpaceBass2> leme get it
20:19 <@dre^> GetPrimaryHostName
20:20 < SpaceBass2> http://pastebin.ca/1061809

http://dreness.com/bits/tech/applied_kerberos_troubleshooting/paste3

20:21 <@dre^> (loading)
20:24 <@dre^> well tha’ts bizarre…
20:24 <@dre^> it still think vail.local is primary
20:26 <@dre^> maybe you will need to delete .17
20:26 <@dre^> it could also be that the settings are horked enough that you cannot change them
20:26 < SpaceBass2> yeah, not ruling that out
20:26 <@dre^> (you did remember to click Apply right?)
20:26 <@dre^> in network prefs…
20:27 < SpaceBass2> heck, let me delete it and see
20:27 < SpaceBass2> yeah, closed prefs and re-opned even
20:28 < SpaceBass2> BOOM!
20:28 < SpaceBass2> removed it and bingop
20:28 < SpaceBass2> bingo
20:28 < SpaceBass2> xmpp/vail.nsnet.com@NSNET.COM
20:28 <@dre^> woot!
20:28 < SpaceBass2> high-five!
20:28 <@dre^> ^5 :)

Epilogue: After re-reading this, I realized that his afp server is actually a separate host from his OD master (vail), but the same troubleshooting steps apply… so in the end, I might not have actually fixed the AFP mounting problem, but we did fix at least *some* problems :)

Finally: if anyone knows how to make WordPress not DELETE AN ENTIRE POST when you paste in a chunk of text that is too big; or, how to adjust this threshold, please tell me. This post took entirely too long to compose, as I had to move text around in increasingly smaller chunks to work around this problem.